[NCLUG] I was hacked!

Michael Dwyer mdwyer at sixthdimension.com
Fri Dec 29 11:06:28 MST 2000


At 09:51 AM 12/29/00 -0700, you wrote:
>On Fri, Dec 29, 2000 at 01:08:14AM -0700, John L. Bass wrote:
> >Remote updates/management is NOT hands free ... "hands free", is a distribution
> >which has been well enough shaken out, that you CAN/WILL be willing to deploy
> >for more than 12-24 months without changing in any way.
>
>If you believe you can deploy a system to desktops for 12 to 24 months
>without doing any sorts of updates, you deserve what you get...  You're
>effectively deciding to put "hands off" over security because there
>*WILL* be updates that have to be done in this time.

We need something that is not purely hands-off, but not the pain of full hands-on.
We just need something that doesn't get the hands dirty.  That is why we are all
looking at auto-update schemes.  We want a way to handle small updates without too
much input on our part.  Unless you are dedicated to workstation maintenance, I
don't think you can truly do anything /but/ auto-update.  The trick, then, is to
make auto-update more palatable.

> >the intent to obscure a trojan. It quickly falls back to a trust issue. Can
> >you positively prove the NSA or KGB (or less organized hackers) do not have
> >a back door installed in the system, carefully constructed from several
> >unrelated subsystems?
>
>So, you seem to believe that the requirements you've set up for a desktop
>system are unachievable?

You always have to pick a point and defend it.  That is, you cannot win. Period.
You can, however, make it so expensive to attack you that only the best get you.
The NSA is not even on my scope.   Who cares what they see?  Furthermore, I
cannot lose sleep at night over the NSA when any delivery boy can swipe my backup
tapes off the shelf.  Security has many, many facets.  It's sort of crazy to go
overboard about 8192 bit keys when you leave your front door unlocked...

>It's too bad that tripwire is so painful to set up.  It's a great idea, but
>requires too much of an investment up-front...

That's what your distributions do for you.  (Or RPM does for you, in a sense.)

> >I don't know why you brought windows into this?? was there a point I missed?
>
>Apparently...  Windows *IS* currently being deployed "successfully" as a
>desktop operating system.  If you're going to talk about what's required
>for a successful deployment then it's worthwhile to compare your points
>with existing art.

Ah yes.  Forgive me.  I mentioned that Windows Update existed.  I thought it
was a Good Thing, despite the big brother connotations of it.

> >My point was, the current attacks aren't *EVEN* interesting ... the game is just
> >getting started ... do you really disagree? You seemed to imply that the ultimate
>
>There are some reasonable solutions to this problem, that's all I'm saying.
>I think that your points that someone has a 10^614:1 chance of hitting the
>correct key to break down a system like up2date by trying 1000 random keys
>is not beneficial...

My point is, all this stuff is fine for the bank and the ecommerce site, but
they are insanity to the dorm resident and the DSL owner who is getting owned
by some scriptkiddie because they didn't update, or even worse, disabled the
update mechanism because of their misplaced paranoia.

> >Is your position that all these "trust" issues, have a technological solution?
>
>My position is that discarding current solutions to the problem because of
>mythical problems with them is a disservice to the people that the current
>systems will help.  If you want the ultimate security, store your system
>in a huge block of concrete at the bottom of the ocean.  Don't try to
>convince people that they shouldn't be using tools that work today because
>they might not work tomorrow.  We don't get anywhere by doing that.

Right.  What he said.  Pick your battles, don't pick too high, and start
working.  Stop wringing the hands about problems you can't control, and
fix the little ones that you /can/ control.



